Safe Harbo(u)r – What can organisations do now?
So, Safe Harbo(u)r, much like the Norwegian Blue Parrot, has joined the choir eternal. The Article 29 Working Party are clear – it is no longer a lawful basis under which data can be transferred to the United States.
While we await confirmation of the adequacy of the Privacy Shield (see here and here for our thoughts on that), organisations are faced with either getting their US-based suppliers to adopt Model Contract Clauses (which may not be a long term solution), or finding EU hosted services to replace the functionality of these services.
Unfortunately there is an imbalance of power for many organisations when dealing with US-based service providers and many of our clients have found themselves relying on organisations that STILL rely on Safe Harbo(u)r to validate data transfers to the United States. These include a number of very large and market-dominant companies for cloud-based CRM (Salesforce.com – I’m looking at you).
What can organisations do if they are uncertain about the risk of data transfer to the United States? One option is to seek out EU-based alternatives. We have had to do this ourselves for a number of our back-office functions. It was a little frustrating, but we managed to find a number of comparable services and then kicked the tyres on them to find ones we could work with. Note that any reference to a product here is not an endorsement and all links are provided for information purposes only. Also – when conducting due diligence on providers it is important to ‘trust but verify’ and check where their data is actually hosted. Services that are ostensibly EU-based may be relying on Model Clauses or similar in the background for their hosting… often this is not transparent.
A useful resource (which has helped us in our search for tools) is www.endofsafeharbor.eu. Rather than keeping our list updated, we will be referring people there. Any service provider reading this who is confident they are keeping their data in the EU should really get in touch with the guys over there and get added to their list. (note:
Currently many SMEs use services like Mailchimp to run their bulk email marketing. I know we did (for the intermittent email marketing we’ve done). Alternatives:
- SensorPro.net – Irish bulk email and survey tool provider. Free email marketing for 1 year. Tiered pricing thereafter. Their email service is also branded as Newsletter.ie
- Mailjet – French-based bulk email provider. Free to use below certain mail volumes. Similar user experience to Mailchimp.
- Teenvio – Spanish bulk email provider. Downside is website is in Spanish, but they appear to be in the process of localising to English.
SurveyMonkey has cornered the market for on-line surveys with SMEs, particularly for ease of use. Alternatives we have identified:
- SmartSurvey.co.uk – UK based survey tool. Very similar in look and feel to Surveymonkey (but with less bananas).
- Sensorpro.net – Very clearly marketed as a professional survey tool for professional surveys, SensorPro is a powerful service, based in Limerick.
- Jotform – US based tool that has created an EU-based instance of their service (see… it can be done).
- Plan.io – German based Project Management tool with basic CRM
- Teamwork.com – Irish based project management tool. (Caveat: may be relying on Model Clauses within Amazon Web Services hosting as there is nothing explicit on their site).
Document Sharing & Collaboration
Dropbox, Box.net, Google Docs… these are a variety of tools that are commonly used. And all of them require data to transit to the US. Alternatives:
- Zettabox.com – who got some good PR by meeting with EU Commission people during Safe Harbo(u)r negotiations
- Treevue.com – Interesting product with some powerful audit controls.
- R2Docuo – another interesting document sharing and collab tool.
- Tresorit.com – fully end-to-end encrypted cloud storage with some powerful access control features.
The upshot is that there is a range of products/services available that can provide business certainty to organisations trying to navigate the broken harbor while we wait for the Shield. Some types of product are not directly mappable, however, or are not available on commercial terms or price points that would suit all types of organisation. To that end, organisations need to balance risk versus holding out for a firm deal on Privacy Shield. In the meantime, I’d advise phoning account managers or writing letters to raise the fact of illegality with service providers still relying on Safe Harbo(u)r and persuade them to, at the very least, provide Model Clauses ASAP.